CodeBuildECR
Securely push images to Amazon ECR using CodeBuild with this IAM policy. Learn how to grant CodeBuild the necessary permissions for ECR access.
CodeBuild ECR Policy
This IAM policy allows CodeBuild to push images to Amazon ECR. Use this policy to grant CodeBuild the necessary permissions to access your ECR repository.
IAM Policy for CodeBuild ECR Access
Below is the JSON representation of the IAM policy. It grants permissions to get authorization tokens, initiate layer uploads, upload layer parts, complete layer uploads, check layer availability, and put images into your ECR repository. ecr:GetAuthorizationToken does not support resource-level permissions, so it is allowed on "*" in its own statement; the push actions stay scoped to the repository ARN.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecr:GetAuthorizationToken",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:BatchCheckLayerAvailability",
                "ecr:PutImage"
            ],
            "Resource": [
                "arn:aws:ecr:eu-west-1:xxxxxxxxxxxx:repository/myrepo"
            ]
        }
    ]
}
Explanation of Permissions
This policy includes the following permissions:
- ecr:GetAuthorizationToken: Allows CodeBuild to retrieve an authentication token to authenticate with ECR.
- ecr:InitiateLayerUpload: Allows CodeBuild to initiate the upload of a new image layer.
- ecr:UploadLayerPart: Allows CodeBuild to upload parts of an image layer.
- ecr:CompleteLayerUpload: Allows CodeBuild to finalize the upload of an image layer.
- ecr:BatchCheckLayerAvailability: Allows CodeBuild to check the availability of image layers.
- ecr:PutImage: Allows CodeBuild to put (upload) an image into the ECR repository.
How to Use This Policy
- Create an IAM role for your CodeBuild project.
- Attach this policy to the IAM role.
- Replace arn:aws:ecr:eu-west-1:xxxxxxxxxxxx:repository/myrepo with the actual ARN of your ECR repository.
- Configure your CodeBuild project to use the IAM role.
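A check to run on the policy document before attaching it, as an added example that is not part of the original page: it verifies that ecr:GetAuthorizationToken is allowed on "*" (the action has no resource-level permissions), that all five push actions are granted, and that they are not granted on every repository. The function names and both sample policies are constructed for illustration; the ARN is the page's placeholder.

```python
from fnmatch import fnmatchcase

TOKEN = "ecr:GetAuthorizationToken"  # no resource-level permissions: needs "*"
PUSH = {"ecr:InitiateLayerUpload", "ecr:UploadLayerPart", "ecr:CompleteLayerUpload",
        "ecr:BatchCheckLayerAvailability", "ecr:PutImage"}
REPO = "arn:aws:ecr:eu-west-1:xxxxxxxxxxxx:repository/myrepo"  # placeholder ARN

def _listify(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]

def _allows(patterns, action):
    """True if any action pattern (case-insensitive, '*' wildcard) covers action."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def lint_ecr_push_policy(policy):
    """Return findings for an identity policy meant to allow ECR image pushes."""
    findings, token_ok, granted = [], False, set()
    for stmt in _listify(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _listify(stmt.get("Action", []))
        resources = _listify(stmt.get("Resource", []))
        for pattern in actions:
            if "*" in pattern:
                findings.append(f"wildcard action {pattern!r} may grant more than push")
        if _allows(actions, TOKEN) and "*" in resources:
            token_ok = True
        push = {a for a in PUSH if _allows(actions, a)}
        if push and resources:
            granted |= push
            for res in resources:
                if res == "*" or res.endswith(":repository/*"):
                    findings.append(f"push actions allowed on every repository ({res})")
    if not token_ok:
        findings.append(f'{TOKEN} must be allowed on Resource "*"')
    if PUSH - granted:
        findings.append("missing push actions: " + ", ".join(sorted(PUSH - granted)))
    return findings

# Constructed sample 1: every action, token included, scoped to the repository ARN.
single_statement = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": [TOKEN, *sorted(PUSH)], "Resource": [REPO]}]}

# Constructed sample 2: token on "*", push actions scoped to the repository ARN.
split_statements = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": TOKEN, "Resource": "*"},
    {"Effect": "Allow", "Action": sorted(PUSH), "Resource": REPO}]}

if __name__ == "__main__":
    print(lint_ecr_push_policy(single_statement), lint_ecr_push_policy(split_statements))
```

To lint a policy file, pass it through `json.load` and call `lint_ecr_push_policy` on the result; an empty list means no findings.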
Additional Resources
For more information about AWS IAM policies and Amazon ECR, refer to the following resources: